What must a Cream franchisee do if they receive a communication or request from a customer regarding access, correction, or deletion of Personal Information?
Cream Franchise · 2025 FDDAnswer from 2025 FDD Document
During and after the Term, you (and if you are conducting business as an Entity, each of your owners) agree to, and to cause your respective current and former employees, representatives, affiliates, successors, and assigns to: (1) process, retain, use, collect, and disclose all Personal Information only in strict accordance with all applicable laws, regulations, orders, the guidance and codes of practice issued by industry or regulatory agencies, and the privacy policies and terms and conditions of any applicable Digital Presence; (2) assist us with meeting our compliance obligations under all applicable laws, regulations, and orders relating to Personal Information, including the guidance and codes of practice issued by industry or regulatory agencies; and (3) promptly notify us of any communication or request from any customer or other person to access, correct, delete, opt-out of, or limit activities relating to any Personal Information.
If you become aware of a suspected or actual breach of security or unauthorized access involving Personal Information, you will notify us immediately and specify the extent to which Personal Information was compromised or disclosed. You also agree to follow our instructions regarding curative actions and public statements relating to the breach. We reserve the right to conduct a data security and privacy audit of any of your Shop and your Computer Systems at any time, from time to time, to ensure that you are complying with our requirements.
Notwithstanding anything to the contrary in this Agreement or otherwise, you agree that we do not control or own any of the following Personal Information (collectively, the "Restricted Data"): (i) any Personal Information of the employees, officers, contractors, owners, or other personnel of you, your affiliates, or your Shop; (ii) such other Personal Information as we from time to time expressly designate as Restricted Data; and/or (iii) any other Personal Information to which we do not have access. Regardless of any guidance we may provide generally and/or any specifications that we may establish for other Personal Information, you have sole and exclusive responsibility for all Restricted Data, including establishing protections and safeguards for such Restricted Data; provided, that in each case you agree to comply with all applicable laws, regulations, orders, and the guidance and codes of practice issued by industry or regulatory agencies applicable to such Restricted Data.
Source: Item 23 — RECEIPTS (FDD pages 61–192)
What This Means (2025 FDD)
According to Cream's 2025 Franchise Disclosure Document, if a franchisee receives any communication or request from a customer to access, correct, delete, opt-out, or limit activities relating to their Personal Information, the franchisee must promptly notify Cream. This requirement ensures that Cream is aware of and can assist with compliance obligations related to Personal Information under applicable laws and regulations. This applies during and after the term of the franchise agreement.
In addition to notifying Cream of such requests, the franchisee must also process, retain, use, collect, and disclose all Personal Information strictly in accordance with all applicable laws, regulations, orders, guidance, and codes of practice issued by industry or regulatory agencies, as well as the privacy policies and terms and conditions of any applicable Digital Presence. The franchisee is also obligated to assist Cream in meeting its compliance obligations under all applicable laws, regulations, and orders relating to Personal Information.
Furthermore, if a Cream franchisee becomes aware of a suspected or actual breach of security or unauthorized access involving Personal Information, they must notify Cream immediately and specify the extent to which Personal Information was compromised or disclosed. The franchisee must also follow Cream's instructions regarding curative actions and public statements related to the breach. Cream retains the right to conduct data security and privacy audits of the franchisee's shop and computer systems to ensure compliance with these requirements.
However, Cream franchisees have sole and exclusive responsibility for Restricted Data, which includes the Personal Information of the employees, officers, contractors, owners, or other personnel of the franchisee, its affiliates, or its Shop; such other Personal Information as Cream from time to time expressly designates as Restricted Data; and/or any other Personal Information to which Cream does not have access. Franchisees must establish protections and safeguards for such Restricted Data, while still complying with all applicable laws, regulations, orders, and the guidance and codes of practice issued by industry or regulatory agencies applicable to such Restricted Data.